I need to clarify my question. I'm wondering if there are any apps for smartphone that can log each 'keystroke' (i.e. key pressed on touchscreen) that a user does. Performing a google search brings up some links to sites like this and this. These apps do not record keystrokes, they 'only' forward sms messages, call logs, contacts and so on to the attacker. Although they call themselves keylogger, that's not what I mean.

Are 'keyloggers' impossible due to the fact that there are no 'real' keystrokes to log? Is this kind of attack simply not possible on touchscreens?

8 Answers
8

Carrier IQ is a rootkit previously installed by mobile phone operators on Android and on iOS 4 iPhones. It is capable of recording every keystroke on your virtual keyboard.
See What risk does Carrier IQ pose, exactly?

hehe, perhaps you're right. When there are no keys, there can't be any key loggers. Let's call it swipelogger™.

More seriously though, I don't think there's much of a technical barrier for malware to detect user-input, be it via a keyboard, mouse, touch screen or brain alpha-waves. As long as there's input, there's a chance to intercept it.

Agree, plus a simple search on Google would return the information confirming that they do exist.
–
blundersFeb 2 '12 at 20:09

@blunders: I'm wondering what you found using google. All I found was some crap about sms surveillance, phone call log monitoring and so on...
–
PitsFeb 2 '12 at 20:18

@Pits: Seems like you're saying you know they exist, which conflicts with "I haven't found any clues that keyloggers are existing on smartphone platforms" in my opinion. If you're talking about if a feature, or set of features, then you should clearly state that in your question.
–
blundersFeb 2 '12 at 21:25

@Pits Perhaps you should clarify your question then? i.e. ask what specific keyloggers were found on smartphones so far, or something along those lines... Your question as it stands right now is whether such an attack is impossible because there are no keys.
–
Yoav AnerFeb 2 '12 at 21:45

p.s. perhaps it's not the best link, and I'm by no means trying to promote this, but 2nd link on google search produced a link to a site that sells these kind of keyloggers, boasting to support virtually all smartphone platforms.
–
Yoav AnerFeb 2 '12 at 21:48

Yes. You could build a key logger app on a smartphone. One example is Carrier IQ.

Android does have protections to make it harder for an attacker to create and distribute a keylogger app. On Android, an everyday app cannot log the keystrokes of all other apps; there are some additional barriers to being a keylogger. However, it is possible: there are ways to build a keylogger app. Here are three ways it can happen:

Custom input method. On Android, an app can define a custom input method (aka an IME). The user can select which input method they want to use, and this input method will be used across the entire system, for every app. This allows, for instance, the Swype app to provide a custom keyboard.

A keylogger could provide a custom input method and ask the user to enable it via the IME user interface. This custom input method could secretly keep a copy of all keys entered. Thus, any Android app could be a keylogger, if you authorize it to serve as a replacement input method. However, the user does have to approve this via a special menu (a standard Android permission is not enough; the user has to actively go to "Settings >> Locale and Text >> Select input method" and select the new input method).

Pre-installed app. The carrier or phone manufacturer could provide a pre-installed app that has the ability to snoop on all keystrokes.

Signed app. I'm not sure, but I think a signed app might have the ability to snoop on all keystrokes as well. However, Google or the carrier would have to sign the app before you could install it (or you'd have to sideload the app and ignore the scary warning messages that are shown to you).

Also, since there are known variants of malware that can detect the depression of keys on an on-screen keyboard, it would be trivial for an attacker to log the coordinates of the touch screen to yield the same information on a smartphone.

As you are able to to write your own keyboards for android it could be assumed that a keyboard could be written that functions like a normal keyboard while at the same time logging the input and passing it back to the attacker. Such an application shouldn't be to hard to write.

In this moment, Mobiwol and NoRoot firewall have different feautures,
NoRoot Firewall has the advantage to "see" in the logs what is wishing to connect to the internet, while Mobiwol has the advantage of blocking "in the mass/batch" and "backgorund/foreground" internet traffic blocking.

I WONDER IF IT IS LEGAL for Phone Manufactures to implant a such keyboard spyware to send keystrokes to google. In this moment, my phone is sending every thing I type, in SMS, CALLS, BROWSER, GAMES, OFFICE, WORD, and so on to the Google Servers. I wonder why, and maybe I will take some legal action, because the phone is sending info to Google, and I had NOT agreed anywhere this thing.

Spell checker? Anyway, that latter part of your answer is obsolete and smells more of a new question than an answer, could you please edit it to only include parts relevant to answering the question presented at the top of this thread? Thanks!
–
TildalWaveMar 27 '14 at 13:43